Mitigating attacks on critical infrastructure
By Rob Le Busque, Regional Vice President, Asia Pacific, Verizon Business Group
Wednesday, 21 December, 2022
Australians have recently experienced the devastating impact of cyber attacks on critical infrastructure. The data hacks of telecommunications giant Optus and private health insurer Medibank have thrust the cybersecurity practices of critical infrastructure operators, government organisations and agencies into the spotlight.
Tech professionals in government play a vital role in shoring up the cybersecurity of Australia’s most important pieces of critical infrastructure. They also shoulder the burden of constantly staying ahead of malicious online actors to adapt to an ever-changing threat landscape.
According to Australian Signals Directorate Director-General Rachel Noble, a quarter of cyber attacks identified in 2021 were against critical infrastructure. In nearly 60% of the ransomware incidents in the same year, the victim company agreed to pay the ransom to avoid further disruptions to its business.
The 2022 Verizon ‘Data Breach Investigations Report’ (DBIR), which studied 23,896 security incidents, of which 5212 were confirmed data breaches, found that ransomware from organised crime groups targeting critical infrastructure increased by 13% in 2021 — more than the previous five years combined.
The legislative landscape has expanded
Following the introduction of legislation earlier this year, the stakes have never been higher for critical infrastructure operators and tech experts in the public service, and the risks have never been greater.
The federal government recently made significant reforms to Australia’s critical infrastructure policies in terms of cybersecurity, which expanded the definition of critical infrastructure to include 11 industry sectors. These reforms expanded the obligations and application of critical infrastructure laws and made incident reporting mandatory within 12 hours of an incident. Furthermore, this legislation now covers organisations within electricity, communications, data storage or processing, financial services, water, healthcare, medical, higher education, research, food and grocery, transport, space technology, and defence industries.
This has led to more focus on strengthening cyber protections within the public sector and expanded the government’s role in protecting critical infrastructure.
Focusing on the basics
There are many things that government tech experts can do to improve cybersecurity within government agencies and departments, and the broader critical infrastructure network of the country.
Getting support from C-suite executives has typically been one of the central challenges, but things are starting to change for the better. Awareness is growing among company executives — the recent high-profile incidents have illustrated why cybersecurity needs to be at the forefront of all elements of a business’s operations.
But funding for these practices is still a major issue, and more budget is always needed.
This is where tech experts need to be looking to partnerships to help to combat a lack of adequate funding and resourcing. The Australian Cyber Security Centre (ACSC) has a partnership program, cybersecurity assessments, certification frameworks and specific programs like the Cyber Security Business Connect and Protect Programme.
State governments have also become increasingly active in this space, with Victoria making its water utilities subject to the Victorian Protective Data Security Framework. New South Wales has made its own utilities subject to the ICT Purchasing Framework and Cyber Security Policy.
For most tech experts within government, managed service partnerships are an effective and efficient way to combat the issue of a lack of funding. These providers have the scale to deal with attacks that most critical infrastructure organisations probably cannot. They can also provide around-the-clock support.
The public sector should participate in more of these partnerships and encourage critical infrastructure operators to adopt the same approach.
Lessons learned from enterprise
This year’s DBIR has identified that the supply chain is the most likely place threat actors will start an attack. The report found that the supply chain was responsible for 62% of system intrusion incidents this year and was responsible for 9% of the total incidents in the report.
Protecting supply chains has also been identified as a key aspect of developing cyber resilience by the federal government in its critical infrastructure reforms, being included as one of the four key ‘hazard domains’ in the risk management program that is now mandatory for critical infrastructure companies to comply with.
Take Japanese multinational Astellas Pharma. With 14,000 employees around the world, Astellas is a major global pharmaceutical player — a highly regulated industry. The company has worked with Verizon to deploy a next-generation secure network infrastructure that allows Astellas to securely manage its tens of thousands of devices and endpoints across its 70+ locations.
Fujifilm, a company traditionally viewed as a photographic and film equipment business, has now expanded into health care, materials, business innovation and imaging. The company has deployed Verizon Business Group’s Advanced Security Operations Centre in Canberra, to strengthen its global cybersecurity monitoring and cyber intelligence capabilities.
These are examples of partnerships that can help a company strengthen its cyber protections without ‘breaking the budget’, and ways that companies in the supply chain for larger critical infrastructure firms can shore up their defences in an efficient and effective manner.
Remaining cyber vigilant during a cyber skills shortage
These partnerships are also an effective tool to assist in combating the growing cyber skills gap.
According to a 2020 report by the Cybersecurity Workforce, companies need about three million qualified cybersecurity workers, a huge gap relative to current availability. Nearly 65% of those surveyed for the report said their organisations have been impacted by this skills gap.
Partnering with third parties who specialise in providing security services can help to reduce the huge impact the skills gap is having, and can also provide 24/7/365 coverage, something which is needed to combat the cyberthreat.
Government organisations and critical infrastructure operators need to continually reassess their defences and realign their spending with their needs. Too many organisations still have legacy security measures in place that will have little impact in the event of a sophisticated cyber attack, and these systems need to be regularly reassessed for efficacy and efficiency.
With the recent government reforms, complying with the various new regulations can be onerous and costly for organisations. But this must be viewed as a positive way to incorporate cybersecurity across all company objectives and into the roles of all employees.